remove node id from acls when deleted

2025-10-06 09:22:42 +08:00 · 2025-02-14 19:59:58 +04:00
parent 41fa0b1bce
commit ed1f48a4b4
3 changed files with 74 additions and 0 deletions
--- a/logic/acls.go
+++ b/logic/acls.go
@@ -654,6 +654,78 @@ func IsPeerAllowed(node, peer models.Node, checkDefaultPolicy bool) bool {
 	}
 	return false
 }
+func RemoveNodeFromAclPolicy(node models.Node) {
+	var nodeID string
+	if node.IsStatic {
+		nodeID = node.StaticNode.ClientID
+	} else {
+		nodeID = node.ID.String()
+	}
+	acls, _ := ListAclsByNetwork(models.NetworkID(node.Network))
+	for _, acl := range acls {
+		delete := false
+		update := false
+		if acl.RuleType == models.DevicePolicy {
+			for i, srcI := range acl.Src {
+				if srcI.ID == models.NodeID && srcI.Value == nodeID {
+					if len(acl.Src) == 1 {
+						// delete policy
+						delete = true
+						break
+					} else {
+						acl.Src = append(acl.Src[:i], acl.Src[i+1:]...)
+						update = true
+					}
+				}
+			}
+			if delete {
+				DeleteAcl(acl)
+				continue
+			}
+			for i, dstI := range acl.Dst {
+				if dstI.ID == models.NodeID && dstI.Value == nodeID {
+					if len(acl.Dst) == 1 {
+						// delete policy
+						delete = true
+						break
+					} else {
+						acl.Dst = append(acl.Dst[:i], acl.Dst[i+1:]...)
+						update = true
+					}
+				}
+			}
+			if delete {
+				DeleteAcl(acl)
+				continue
+			}
+			if update {
+				UpsertAcl(acl)
+			}
+
+		}
+		if acl.RuleType == models.UserPolicy {
+			for i, dstI := range acl.Dst {
+				if dstI.ID == models.NodeID && dstI.Value == nodeID {
+					if len(acl.Dst) == 1 {
+						// delete policy
+						delete = true
+						break
+					} else {
+						acl.Dst = append(acl.Dst[:i], acl.Dst[i+1:]...)
+						update = true
+					}
+				}
+			}
+			if delete {
+				DeleteAcl(acl)
+				continue
+			}
+			if update {
+				UpsertAcl(acl)
+			}
+		}
+	}
+}

 func checkTagGroupPolicy(srcMap, dstMap map[string]struct{}, node, peer models.Node,
 	nodeTags, peerTags map[models.TagID]struct{}) bool {
--- a/logic/extpeers.go
+++ b/logic/extpeers.go
@@ -134,6 +134,7 @@ func DeleteExtClientAndCleanup(extClient models.ExtClient) error {
 		slog.Error("DeleteExtClientAndCleanup-update network acls:", "Error", err.Error())
 		return err
 	}
+	go RemoveNodeFromAclPolicy(extClient.ConvertToStaticNode())

 	return nil
 }
--- a/logic/nodes.go
+++ b/logic/nodes.go
@@ -312,6 +312,7 @@ func DeleteNode(node *models.Node, purge bool) error {
 	if err := DissasociateNodeFromHost(node, host); err != nil {
 		return err
 	}
+	go RemoveNodeFromAclPolicy(*node)

 	return nil
 }